yum install allows manual input

Docs > Plateforme de sécurité Datadog > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > yum install allows manual input

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 6e19193a-8753-436d-8a09-76dcff91bb03

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Low

Category: Supply-Chain

Learn More

Provider Reference

Description

RUN instructions that invoke yum install without a non-interactive flag can prompt for user input during image builds, causing automated CI/CD pipelines to hang or produce inconsistent images when builds are completed manually.

Check Dockerfile RUN commands for invocations of yum install (including groupinstall or localinstall). The command must include a non-interactive flag such as -y, yes, or --assumeyes. This rule flags RUN entries where a yum install is detected but none of those flags are present. It applies to both single-string RUN commands and list-form RUN arguments.

Secure example:

RUN yum -y install curl

Compliant Code Examples

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

Non-Compliant Code Examples

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install bundler
RUN ["sudo yum", "install", "bundler"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]